GDPR

Introduction

The European Union (EU) has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will be effective from May 25, 2018. The EU regulation can be accessed HERE.

Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data. GRC Sphere is well aware of its role in providing the right tools and processes to support its Members, users and customers by meeting the GDPR mandate with our Binding Corporate Rules (BCR’s) and readiness methods, tools and training.

GRC Sphere GDPR Readiness

The following policy information makes up GRC Sphere’s GDPR readiness and Corporate Binding Rules, which span both data controllers and data processors.

Once you have read the sections of our Policy below, please contact us if you have any…

Questions, Concerns and Comments:

What is GDPR?

A new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.

What does GDPR regulate?

The GDPR regulates the “control” AND “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

How does GDPR change privacy law?

The GDPR provides more privacy rights to EU individuals and places significant obligations on organizations. Some of the key changes are:

Expanded rights for EU individuals:

The GDPR provides expanded rights for EU individuals such as deletion, restriction, and portability of personal data.

Data breach notification and security:

The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.

New requirements for profiling and monitoring:

The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.

Binding Corporate Rules (BCR’s):

The GDPR officially recognizes BCRs (which GRC Sphere offers for certain of its services) as a means for organizations to legalize transfers of personal data outside the EU.

Enforcement:

Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.

One stop shop:

The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

Does GDPR require EU personal data to stay in the EU?

No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. GRC Sphere’s Data Processing Addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalize transfers of EU personal data outside of the EU.

Where can I learn more about GDPR?

Additional information about the GDPR is available on the official GDPR website of the EU which is shown HERE.

What has GRC Sphere done to get ready to comply with GDPR?

Establish Controls and Processes:

GRC Sphere has an understanding of its data and our team has created a roadmap of necessary operational and technological changes. Our roadmap ensures that our organization has appropriate controls and processes, such as:

Privacy notices:

Privacy notices are provided wherever personal data is collected, including the use of website cookies and tags.

Usage limitations:

Administrative and technological controls are used to limit our organization’s use of data to the purposes for which it collected the data.

Security:

Data subject rights:

Mechanisms and procedures are needed to manage data subject to consent preferences and respond to complaints and requests for access, rectification, restriction, portability, and deletion.

Vendor management:

GRC Sphere must have contracts with affiliates, vendors, and other third parties that collect or receive personal data, including standard contractual clauses or other mechanisms to legalize data transfers outside the EU.

Incident response:

GRC Sphere processes must be created to detect and respond to security breaches, including remediating the breach and notifying all necessary parties.

Training:

GRC Sphere’s employee and vendor training must be delivered to raise awareness regarding privacy policies, processes, and requirements, as well as to report concerns and suspicious data activity.

Assessments:

GRC Sphere data protection impact assessments must be conducted for each high risk data processing activity.

1. Introduction

GRC Sphere and its affiliates are committed to achieving and maintaining customer trust. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters.

In accordance with the EU Data Protection Directive and implementing national legislation, the GRC Sphere Data Controller and Processor BCR is intended to provide an adequate level of protection for Personal Data during international transfers within the GRC Sphere business made on behalf of Customers and under their instructions.

2. Definitions

Controller means controller, as defined in the EU Data Protection Directive. The term “controller” is defined in the EU Data Protection Directive as “the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.”

Customer means (i) a legal entity with whom a Member or User of the GRC Sphere business has executed a contract to provide the Services (or a legal entity placing a subscription or product order under such contract) and such contract incorporates by reference the GRC Sphere Data Controller and Processor BCR or (ii) a legal entity with whom a member of the GRC Sphere business has executed a contract under which the legal entity is entitled to resell the Services to its end customers and such contract incorporates by reference the GRC Sphere Data Controller and Processor BCR.

Personal Data means personal data, as defined in the EU Data Protection Directive, when such data is submitted to the Services. The term “personal data” is defined in the EU Data Protection Directive as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.”

Processor means processor, as defined in the EU Data Protection Directive. The term “processor” is defined in the EU Data Protection Directive as “a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.”

For clarity, a Member, Customer or User (as defined in Section 2) may be a Controller or a Processor of Personal Data. Where a Member, User or Customer is a Processor of Personal Data, the GRC Sphere business shall process Personal Data as sub-processors on behalf of the Controller. Instructions from the Controller regarding the processing of Personal Data shall be given through the Processor.

GRC Sphere Data Controller and Processor BCR

GRC Sphere’s business means GRCsphere.org.com and its affiliate sub-processors of Personal Data, whose names will be made available here in the future when they are added.

Services means the online services provided to Members, Users and Customers by the GRC Sphere business, as listed in Appendix A.

3. Scope and Application

The purpose of the GRC Sphere Data Controller and Processor BCR is to govern cross-border transfers of Personal Data to and between members of the GRC Sphere business, and to third-party sub-processors (in accordance with written agreements with any such third-party sub-processors) when acting as Processors and/or sub-processors on behalf and under the instructions of Customers.

(a) Customers established in EEA member states whose processing activities for the relevant data are governed by the EU Data Protection Directive and implementing national legislation; and

(b) Customers established in non-EEA member states for which the customer has contractually specified that the EU Data Protection Directive and implementing national legislation shall apply.

The GRC Sphere business may update the Data Controller and Processor BCR with approval from the GRC Sphere’s appointed privacy leader, general counsel and compliance officer. All changes to the GRC Sphere Data Controller and Processor BCR shall be communicated to members of the GRC Sphere business.

The GRC Sphere’s appointed privacy leader shall be responsible for keeping a fully updated list of the Members, Users and Customers of the GRC Sphere business and third-party sub-processors and making appropriate notifications to Customers and the CNIL in its capacity as lead authority for the GRC Sphere Data Controller and Processor BCR.

GRC Sphere business shall not transfer Personal Data to a new member of the GRC Sphere business until such Member is appropriately bound by and complies with the GRC Sphere Data Controller and Processor BCR.

The GRC Sphere business shall make the most current version of the GRC Sphere Data Controller and Processor BCR, including the Members of the GRC Sphere business, available at http://GRCsphere.org. Significant changes to the GRC Sphere Data Controller and Processor BCR and/or the list of Members, Users and Customers of the GRC Sphere business will be reported (a) in a timely fashion to Customers and (b) once per year to the relevant data protection authorities accompanied by a brief explanation of the changes.

4. Responsibilities Towards Members, Users and Customers

A. General Obligations

The GRC Sphere business and its employees shall comply with the GRC Sphere Data Controller and Processor BCR, process Personal Data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of Personal Data, pursuant to the measures provided in the contracts executed with Customers.

B. Transparency and Cooperation with Customers

The GRC Sphere business undertakes to be transparent regarding its Personal Data processing activities and to provide Members, Users and Customers with reasonable cooperation within a reasonable period of time to help facilitate their respective data protection obligations regarding Personal Data.

C. Data Subject Rights

Members of the GRC Sphere business act as Processors on behalf of Customers. As between the GRC Sphere business and Customers, Customers have primary responsibility for interacting with Data Subjects, and the role of the GRC Sphere business is generally limited to assisting Customers as needed.

i. Access, Correction, Amendment or Deletion Requests

The GRC Sphere shall promptly notify a Member, User or Customer if the GRC Sphere business receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. The GRC Sphere shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer.

The GRC Sphere business shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data to the extent Customers do not have access to such Personal Data through their respective uses of the Services.

ii. Handling of Complaints

The GRC Sphere Privacy department shall be responsible for handling complaints related to compliance with the GRC Sphere Data Controller and Processor BCR.

Data Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the GRC Sphere Data Controller and Processor BCR by contacting the relevant Customer or the GRC Sphere Privacy department at the email address [email protected]. The GRC Sphere business shall promptly communicate the complaint to the Customer to whom the Personal Data relates.

Customers shall be responsible for responding to all Data Subject complaints forwarded by the GRC Sphere business except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where the GRC Sphere business is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the relevant data protection authority).

D. Regulatory Inquiries and Complaints

The GRC Sphere business shall, to the extent legally permitted, promptly notify a Customer if the GRC Sphere business receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, the GRC Sphere business shall provide the Customer with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any regulatory inquiry or complaint involving the GRC Sphere’s business processing of Personal Data.

5. Description of Processing Operations and Transfers

A. Purpose Limitation

The GRC Sphere business shall process Personal Data only for the following purposes: (i) processing in accordance with a Customer’s instructions set forth in the Customer’s contract with a member of the GRC Sphere business; and (ii) processing initiated by the Customer in its use of the Services. If the GRC Sphere business cannot comply with such purpose limitation, a member of the GRC Sphere business shall promptly notify the relevant Customer, and such Customer shall be entitled to suspend the transfer of Personal Data and/or terminate the applicable order form(s) in respect to only those Services which cannot be provided by the GRC Sphere in accordance with such Customer’s instructions. On the termination of the provision of such Services, the GRC Sphere business and third-party sub-processors shall, at the choice of the Customer, return the Personal Data to the Customer and/or delete the Personal Data as set forth in the applicable customer contract.

B. Data Quality

Customers have access to, and control of, Personal Data in their use of the Services. To the extent a Customer, in its use of the Services, does not have the ability to anonymize, correct, amend or delete Personal Data, as required by applicable laws, the GRC Sphere business shall comply with any request by a Customer in a reasonable period of time and to the extent reasonably possible to facilitate such actions by executing any measures necessary to comply with the law, in a reasonable period of time and to the extent reasonably possible to the extent the GRC Sphere business is legally permitted to do so. The GRC Sphere business will, to the extent reasonably required for this purpose, inform each member of the GRC Sphere business to whom the Personal Data may be stored of any anonymization, rectification, amendment or deletion of such data. If any such anonymization, correction, amendment or deletion request is applicable to a third-party sub-processor’s processing of Personal Data, the GRC Sphere business shall communicate such request to the applicable third-party sub-processor(s).

C. Sub-processing

i. Sub-processing Within the GRC Sphere business

As set forth in applicable contracts with Customers, Members of the GRC Sphere business may be retained as sub-processors of Personal Data, and depending on the location of the GRC Sphere business member, processing of Personal Data by such sub-processors may involve transfers of Personal Data. The GRC Sphere Data Controller and Processor BCR extends to all Members of the GRC Sphere business.

ii. Sub-processing by Third Parties

As set forth in applicable contracts with Customers, Members of the GRC Sphere business may retain third-party sub-processors, and depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party sub-processors shall process Personal Data only (i) in accordance with the Customer’s instructions set forth in the Customer’s contract with a Member of the GRC Sphere business; or (ii) if processing is initiated by the Customer in its use of the Services. The current list of third-party sub-processors engaged in processing Personal Data, including a description of their processing activities, is available here. Such third-party sub-processors have entered into written agreements with a member of the GRC Sphere business in accordance with the applicable requirements of Articles 16, 17, 25 and 26 of EU Data Protection Directive and Sections 3 – 10 of the GRC Sphere Data Controller and Processor BCR as applicable to the third-party sub-processor’s processing activities.

iii. Notification of New Sub-processors and Objection Rights

As set forth in applicable contracts with Customers, the GRC Sphere business shall provide Customers with prior notification before a new sub-processor begins processing Personal Data. Within thirty (30) days of receiving such notice, a Customer may object to the GRC Sphere’s use of a new sub-processor subject to the following:

It would be unreasonable for a Customer to object to a new sub-processor that is a member of the GRC Sphere business if (a) the sub-processor is subject to the GRC Sphere Data Controller and Processor BCR; and (b) has achieved a third-party, internationally-recognized security certification (e.g., ISO 27001) unless the Customer demonstrates reasonable suspicion that the new sub-processor will not be able to comply with its obligations under the GRC Sphere Data Controller and Processor BCR.

Unless a Customer demonstrates reasonable suspicion that a new third-party sub-processor introduces unreasonable risk to the protection of Personal Data (e.g., a history of security breaches), it would be unreasonable for a Customer to object to a new third-party sub-processor if (a) the new third-party sub-processor is located in a country that provides an adequate level of protection per the European Commission or has entered into a contract with a member of the GRC Sphere’s business containing the applicable requirements of the European Commission’s controller-to-processor standard contractual clauses; and (b) the new third-party sub-processor has passed the GRC Sphere’s vendor security evaluation based on a third-party, internationally-recognized security framework.

In the event a Customer objects to a new sub-processor, and that objection is not unreasonable under the standards described above, the GRC Sphere business will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening the Customer. If the GRC Sphere business is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Customer may terminate the applicable order form(s) in respect only to those Services which cannot be provided by the GRC Sphere business without the use of the objected-to new sub-processor by providing written notice to the Member of the GRC Sphere business with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

6. Confidentiality and Security Measures

A. Confidentiality and Training

The GRC Sphere business shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and have received appropriate training on their responsibilities. Additionally, the GRC Sphere business shall ensure that its personnel responsible for the development of tools used to process Personal Data have received appropriate training on their responsibilities. The GRC Sphere business shall also ensure that its personnel engaged in the processing of Personal Data are limited to those personnel who require such access to perform the GRC Sphere business obligations under applicable contracts with Customers.

B. Data Security

The GRC Sphere business shall maintain appropriate administrative, technical and physical safeguards for protection of the security, confidentiality and integrity of Personal Data, as set forth in applicable contracts with Customers. The GRC Sphere business regularly monitors compliance with these safeguards.

The GRC Sphere business will not materially decrease the overall security of the Services during a Customer’s applicable subscription term.

C. Security Breach Notification

In the event a member of the GRC Sphere business becomes aware of any unauthorized access to or disclosure of Personal Data, the GRC Sphere business will promptly notify affected Customers to the extent such notification is permitted by applicable law.

D. Audits

The GRC Sphere business shall maintain an audit program to help ensure compliance with the GRC Sphere Data Controller and Processor BCR, including the following third-party audits and certifications, internal verification and audits by Customers. The audit program covers all aspects of the GRC Sphere Data Controller and Processor BCR, including methods for ensuring non-compliance is addressed.

i. Third-Party Audits and Certifications

The following third-party audits and certifications are applicable to the Services. The GRC Sphere agrees to maintain such audits and certifications, or their successors as soon as the company is financially able to meet the financial obligations for these control requirements.

ISO 27001 certification: The GRC Sphere plans on securing an information security management system (ISMS) in accordance with the ISO 27001 international standard. Members of the GRC Sphere business who have achieved ISO 27001 certification for their ISMS from an independent third party will be brought into the business to help us meet the requirements of the certification.

SSAE 16 Service Organization Control (SOC) reports: The GRC Sphere’s information security control environment applicable to the Services undergoes an independent evaluation in the form of SSAE 16 Service Organization Control (SOC) reports, which are available to Customers upon request.

ii. Internal Verification

The GRC Sphere business plans on appointing a network of privacy personnel responsible for overseeing and ensuring compliance with the GRC Sphere’s data protection responsibilities at a local and global level, including compliance with this GRC Sphere Data Controller and Processor BCR, advising management on data protection matters, liaising with data protection authorities, and handling data protection-related complaints. Each Member of the GRC Sphere business will be assigned such a member of network of privacy personnel. Such privacy personnel will be primarily responsible for privacy-related matters and report to the GRC Sphere business’ appointed privacy leader, who will report to the GRC Sphere’s general counsel, and benefit from the support of the GRC Sphere’s top management. The GRC Sphere will appoint a privacy leader who will be responsible for the GRC Sphere’s business compliance with applicable privacy and data protection laws and leads the GRC Sphere’s business network of privacy personnel. The GRC Sphere will appoint a network of privacy personnel who will have regional responsibility for the GRC Sphere’s compliance with applicable privacy and data protection laws.

The GRC Sphere’s compliance department will be put in place to conduct an annual assessment of GRC Sphere’s compliance with the GRC Sphere Data Controller and Processor BCR, which is provided to GRC Sphere’s appointed privacy leader, compliance officer and GRC Sphere’s board of directors. Such an assessment shall include any necessary corrective actions, timeframes for completing such corrective actions, and follow up by GRC Sphere’s compliance department to ensure such corrective actions have been completed.

iii. Customer Audits

Upon a Customer’s request, and subject to appropriate confidentiality obligations, the GRC Sphere business shall make available to the Customer (or such Customer’s independent, third-party auditor that is not a competitor of the GRC Sphere business) information regarding the GRC Sphere business and third-party sub-processors’ compliance with the data protection controls set forth in this GRC Sphere Data Controller and Processor BCR. This includes providing the requesting Customer a report of the GRC Sphere’s audits of third-party processors, which Customers instruct the GRC Sphere business to conduct in their applicable contracts.

A Customer (or such Customer’s independent, third-party auditor that is not a competitor of the GRC Sphere business) may also request to conduct an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at the locations where Personal Data is stored, including applicable members of the GRC Sphere business and third-party sub-processors, by following the instructions set forth in its applicable contract. Customers shall reimburse the GRC Sphere business for any time expended by the GRC Sphere business or its third-party sub-processors for such on-site audit at the GRC Sphere’s then-current professional service rates, which shall be made available to Customers upon their request. Before any such on-site audit commences, the requesting Customer and the GRC Sphere business shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by the GRC Sphere business or its third-party sub-processors.

As set forth in applicable contracts with Customers, a Customer who performs an audit in accordance with this Section must promptly provide the GRC Sphere business with information regarding any noncompliance discovered during the course of an audit.

7. Third-Party Beneficiary Rights

Data Subjects may directly enforce against GRC Sphere’s business designee in the EU if and when it has been established in the future Sections 3 – 10 of the GRC Sphere Data Controller and Processor BCR as third-party beneficiaries. Such third-party beneficiary rights shall be limited to those situations where a Data Subject is unable to bring a claim against the relevant Customer because such Customer has factually ceased to exist in law or become insolvent and has not named a successor entity to assume the legal obligations of the Customer.

Additionally, Data Subjects may directly enforce against third-party sub-processors breaches of the written agreement with members of the GRC Sphere business which relate to the third-party sub-processors’ obligations to comply with Sections 3-10 of the GRC Sphere Data Controller and Processor BCR, as applicable to the third-party sub-processor’s processing activities, as third-party beneficiaries. Such third-party beneficiary rights shall be limited to those situations where a Data Subject is unable to bring a claim against the relevant Customer and members of the GRC Sphere business because such entities have factually ceased to exist in law or become insolvent and have not named successor entities to assume their respective legal obligations. Such third-party liability of third-party sub-processors shall be limited to their own processing operations.

In accordance with Section 8 of the GRC Sphere Data Controller and Processor BCR, a Data Subject’s third-party beneficiary rights, if applicable, shall cover judicial remedies for any breach of the rights provided in the GRC Sphere Data Controller and Processor BCR and the right to receive compensation for damages.

To enforce the above rights, a Data Subject shall, in addition to the right to lodge a complaint as set forth in Section 4.C. of the GRC Sphere Data Controller and Processor BCR, be entitled to lodge a complaint before the competent data protection authority and/or, at the Subject’s choice, to commence claims within the jurisdiction of the EU-based member of the GRC Sphere business at the origin of the transfer or of GRC Sphere businesses which may be set up in the future.

In case no member of the GRC Sphere business is established in the EU, the Data Subject shall be entitled to lodge a complaint before the data protection authorities or courts of his or her place of residence. If more favorable solutions for Data Subjects exist according to national law, then they would be applicable.

8. Liability and Enforcement

GRC Sphere’s business contracts with Customers shall include a reference to the GRC Sphere Data Controller and Processor BCR. In accordance with such contracts, Customers shall have the right to enforce the GRC Sphere Data Controller and Processor BCR against the GRC Sphere business, including judicial remedies and the right to receive compensation. The GRC Sphere business plans on appointing an EU-based designee to accept responsibility for and agree to remedy the acts of other members of the GRC Sphere business and third-party sub-processors for breaches of the GRC Sphere Data Controller and Processor BCR or of third-party sub-processors for breaches of the corresponding provisions of the written agreements with members of the GRC Sphere business.

To the extent a Customer (or a Data Subject, if Section 7 of the GRC Sphere Data Controller and Processor BCR applies) demonstrates that a Data Subject has suffered damages and establishes facts showing that it is likely that such damages have occurred because of the GRC Sphere’s business breach of Sections 4-10 of the GRC Sphere Data Controller and Processor BCR or a third-party sub-processor’s breach of a contract with a member of the GRC Sphere business, the GRC Sphere business shall be responsible for proving that it – or its third-party sub-processor – was not responsible for the breach giving rise to the damages or that no such breach took place. If GRC Sphere’s EU designee or another member of the GRC Sphere business can prove that the GRC Sphere business and its third-party sub-processors are not responsible for the act leading to the damages suffered by the Data Subject, the GRC Sphere may discharge itself from any responsibility.

9. Cooperation with Data Protection Authorities

The GRC Sphere business shall cooperate with member state data protection authorities with jurisdiction over the GRC Sphere business or competent for Customers, reply to any requests they make within a reasonable time frame and abide by the advice and recommendations of the relevant member state data protection authorities regarding the interpretation and application of the GRC Sphere Data Controller and Processor BCR.

Upon request and subject to duties of confidentiality, the GRC Sphere business shall provide relevant member state data protection authorities with jurisdiction over the GRC Sphere business or competent for Customers (i) a copy of the GRC Sphere’s business annual assessment of compliance with the GRC Sphere Data Controller and Processor BCR and/or other documentation reasonably requested; and (ii) the ability to conduct an onsite audit of the GRC Sphere’s business architecture, systems and procedures relevant to the protection of Personal Data.

10. Local Law Requirements

As set forth in applicable contracts with Customers, the GRC Sphere business shall comply with applicable law in its processing of Personal Data. Where applicable law requires a higher level of protection for Personal Data than provided for in the GRC Sphere Data Controller and Processor BCR, the local applicable law shall take precedence.

Where the GRC Sphere business reasonably believes that applicable law prevents it from fulfilling its obligations under the GRC Sphere Data Controller and Processor BCR or the instructions of a Customer, it shall promptly notify the GRC Sphere’s Privacy department in addition to affected Customers and the data protection authority competent for the Customer. In such a case, the GRC Sphere business shall use reasonable efforts to make available to the affected Customers a change in the Services or recommend a commercially reasonable change to the Customers’ configuration or use of the Services to facilitate compliance with applicable law without unreasonably burdening Customers. If the GRC Sphere business is unable to make available such change within a reasonable period of time, Customers may terminate the applicable order form(s) in respect to only those Services which cannot be provided by the GRC Sphere business in accordance with applicable law by providing written notice to the member of the GRC Sphere business with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

In accordance with applicable contracts with Customers, the GRC Sphere business shall communicate any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body to the impacted Customer unless the GRC Sphere business is prohibited by law from providing such notification.

To the extent the GRC Sphere business is prohibited by law from providing such notification, the GRC Sphere business shall (1) review each request on a case-by-case basis; (2) use best efforts to request that the confidentiality requirement be waived to enable the GRC Sphere business to notify the appropriate data protection authority competent for the Customer and the CNIL in its capacity as lead authority for the GRC Sphere Data Controller and Processor BCR; and (3) maintain evidence of any such attempt to have a confidentiality requirement waived.

On an annual basis, the GRC Sphere business shall provide the appropriate data protection authorities competent for impacted Customers and the CNIL with general information about the types of legally binding requests for disclosure of Personal Data the GRC Sphere business receives by law enforcement authorities.

Appendix A – Services to which the GRC Sphere Data Controller and Processor BCR Applies

The GRC Sphere Data Controller and Processor BCR applies to the services branded as the following:

The GRC Sphere Member Services Platform, which provides a Customer Relationship Management (CRM) application and a Content Management platform (Member Pavilion) upon which Members, Partners and Customers may configure their own customer or partner portal for the purpose of advertising products and services to GRC Sphere business members.